Joint ventures by US tech firms with China pose cyberwar risk: report

Should conflict occur, China's cyberwar plans target the U.S., and today's Chinese joint ventures with U.S. manufacturers in hardware, software and telecommunications create a "potential vector" for the People's Liberation Army (PLA) to exploit and compromise, says a report from the U.S.-China Economic and Security Review Commission sent to Capitol Hill today.

The report, "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage," was researched under mandate by Congress when it first formed the external Washington, D.C.-based U.S.-China Economic Security Review Commission to undertake ongoing research about relations between the two countries. The report, written by information security analysts from Northrop Grumman, says that leaders in the Chinese People's Liberation Army (PLA) "have embraced the idea that successful warfighting is predicated on the ability to exert control over an adversary's information and information systems, often preemptively."

The report claims China is actively planning out how it could attack U.S. military operations. The report also notes that at least 50 civilian universities in China are receiving funding aimed at developing cyberwar capabilities for the military under at least five established national grant programs.

A cyberstrike could occur in advance of any physical military confrontation, the report states. "Chinese commanders may elect to use deep access to critical U.S. networks carrying logistics and command and control data to collect highly valuable real-time intelligence or to corrupt the data without destroying the networks or hardware."

The report says evidence it has compiled, mainly from PLA, Chinese government and non-proprietary sources, shows that China does want to be prepared to launch a cyberwar strike on the U.S. in the event of a conflict. The report goes on to claim that joint venture relationships between Chinese and non-Chinese hardware, software and telecom providers represent a "risk" from the U.S. point of view.

The report notes that possible tampering could occur in hardware such as routers and switches from China. And it states, "Deliberate modifications of semiconductors upstream of final product assembly and delivery could have subtle or catastrophic effects. An adversary with the capability to gain covert access and monitoring of sensitive systems could degrade a system's mission effectiveness, insert false information or instructions to cause premature failure or complete remote control or destruction of the targeted system."

Collaboration between U.S. and Chinese information security firms, according to the report, "has raised concerns over the potential for illicit access to sensitive network vulnerability data at a time when the volume of reporting about Chinese computer network exploitation activities directed against U.S. commercial and government entities remains steady."

The report takes a dim view of partnerships between "U.S. or other Western information security firms and Chinese IT and high-tech firms," saying there are risks "primarily related to the loss of intellectual property and erosion of long-term competitiveness, the same threats faced by many U.S. companies in other sectors entering partnerships in China."

The report singles out the joint venture between Huawei Shenzhen Technology Company Ltd. and Symantec, under which for almost four years Symantec shared its security and storage technologies with Huawei to include in its telecom equipment. Symantec CEO Enrique Salem announced the joint venture had ended in November 2011, saying the two companies had decided it would be best to consolidate the venture under one owner. Huawei, which bought out Symantec for $530 million, still licenses Symantec's technologies.

"Partnering with an American or other Western anti-virus vendor does not necessarily allow the Chinese partner to obtain signature data earlier than legitimate participation in industry consortia such as the Microsoft Virus Information Alliance, but it may provide the Chinese partner with deeper access to U.S. markets over the long term," the report said.

Huawei is the large China-based telecom equipment and service provider which has been seeking to expand business in the U.S. the past few years even as the atmosphere has grown more tense as several U.S. companies, including Google, have spoken of cyber-espionage carried out by what appeared to be attacks out of China.

Neither Symantec nor Huawei had immediate comment regarding the report. However, William Plummer, vice president of external communications at Huawei, who spoke with Network World last week about these topics, says assertions made in a Wall Street Journal story late last year that Huawei was helping Iran conduct cyber-surveillance against its citizens, especially dissidents, simply isn't true.

Plummer said Huawei's telecom equipment does have the equivalent of a backdoor for government use, but it is the same kind that is mandated in equipment by the U.S. under the Communications Assistance for Law Enforcement (CALEA) laws in the U.S. This kind of interface is there for governments around the world, he notes.

"Every government on this planet has a shared concern about security," Plummer said. He said Huawei, which did $32 billion in business last year, is not part of the Chinese government, although its founder, Ren Zhengfei, is an ex-Army officer in the PLA. However, a number of U.S. lawmakers are pushing to investigate Huawei and its ties to Iran, especially as concerns the WSJ's allegations of tracking of wireless mobile use in Iran.

In general, cyber-espionage is a fact of life today, Plummer acknowledged. Based on his own experience in the U.S. foreign service, he noted, "I believe there's hacking of all sorts" by Russia, China and the U.S.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.